Microsoft, Google move to tame Beast

Microsoft calls for adoption of TLS 1.1, RC4.

Microsoft and Google have moved to secure users against the SSL Beast attack.

The attack made shock waves last week after researchers Thai Duong and Juliano Rizzo demonstrated they could tamper with cipher block chaining (CBC) used in SSL encryption.

It went further than a similar attack demonstrated in 2001 by Bodo Moeller which found guesses can be made against CBC to determine the contents of plaintext blocks.

The researchers showed the Beast (Browser Exploit Against SSL/TLS) attack could de-construct a PayPal cookie passing over SSL between the webserver and user, and was able to compromise restricted user accounts.

But security researchers said it was unlikely to be widely exploited. It required a target's network to be already compromised, and had relied on a Java plugin applet to mitigate the same-origin policy (SOP), a feature that prevents modification to web site data from external domains.

The Java applet would be blocked by default in Google's Chrome browser.

Yet the researchers said the Java applet was only one method of bypassing SOP. Security expert Moxie Marlinspike went further, and said the Beast attack was more akin to a SOP-bug.

Microsoft had called for users to activate TLS 1.1 in browsers and for RC4 deployments to be priortised.

"You can prioritise the RC4 algorithm in server software in order to facilitate secure communication using RC4 instead of CBC.," Microsoft said in an advisory.

"The client or server with which you are communicating must support the RC4 algorithm. If support for RC4 is not available, a different cipher suite will be used if one is available, and this workaround will be ineffective."

Mozilla published correspondence dating back to June between Duong as its researchers who discussed various methods to mitigate the attack.

All rights reserved. This material may not be published, broadcast, rewritten or redistributed in any form without prior authorisation.Your use of this website
constitutes acceptance of nextmedia's Privacy Policy and
Terms & Conditions.